HTTP Authentication - WWW-Authenticate header - multiple realms

Question

Does anyone have any experience of supporting multiple realms in HTTP Authentication?

The Microsoft website states:

Each authenticate respon

Answer 1

The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response.

There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available, however, defining which one is the strongest is not always obvious.

I've never tried with multiple realms (and the same scheme, for example Basic), but I'm not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user-interface, in particular which realm it challenges the user with.

Answer 2

I have one good example using multiple authenticate headers when using a sharepoint site. The Sharepoint offer both Negotiate and NTLM when connecting first.

Firefox chooses NTLM but Chrome chooses Negotiate.

It is also a consequence that Chrome will always send the Authorization header along with the other requests but Firefox only at the beginning because of the NTLM challange-response protocol. See here more explanation http://www.innovation.ch/personal/ronald/ntlm.html